Interlock Ransomware: New Threat Targets Windows & FreeBSD
A new ransomware group dubbed “Interlock” has emerged, setting its sights on both Windows and FreeBSD operating systems. This multi-platform approach signals a concerning trend in the ransomware landscape, expanding the potential attack surface for organizations worldwide.
According to Trend Micro Research, which recently published a report on this new threat, “Comprehending Interlock’s modus operandi is key to shaping a robust security posture. This involves enhancing detection, response, and managing vulnerabilities across a wide range of environments.”
FreeBSD is a popular open-source operating system widely used in servers and critical infrastructure. By targeting FreeBSD, Interlock can disrupt essential services, increasing pressure on victims to pay hefty ransoms. As the report highlights, “Interlock targets FreeBSD as it’s widely utilized in servers and critical infrastructure. Attackers can disrupt vital services, demand hefty ransoms, and coerce victims into paying.”
Interlock doesn’t limit itself to FreeBSD; it also targets Windows systems. To evade detection and hinder analysis, the Windows variant utilizes a custom packer. It employs various techniques to maintain a low profile, including clearing Windows event logs and self-deletion. “Interlock clears multiple Windows event logs, including Application, Security, Setup, System, and Forwarded Events. With self-deletion enabled, it drops a DLL that eliminates the main binary using rundll32.exe,” the report states.
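The log-clearing and rundll32-based self-deletion described above are both behaviours a defender can hunt for in Windows event logs. The following is an added detection example, not code from the Trend Micro report: it runs over a handful of constructed event records shaped like exported Windows events and flags log clears (Security event ID 1102, and event ID 104 for other channels such as System or Application) followed shortly by a rundll32.exe process creation (event ID 4688). The event IDs are real Windows identifiers; the record layout, field names, timestamps and the DLL path are assumptions made for this example.

```python
"""Flag Windows event-log clearing and nearby rundll32 activity.

Added example, not part of the Trend Micro report. The records below are
constructed; their shape (time, channel, event_id, data) is an assumption
about how exported events have been normalised before reaching this code.
"""
from datetime import datetime

# Constructed sample records mimicking exported Windows event log entries.
SAMPLE_EVENTS = [
    {"time": "2024-10-10T09:00:00", "channel": "Security", "event_id": 4624, "data": {}},
    # 1102: the Security audit log was cleared
    {"time": "2024-10-10T09:01:10", "channel": "Security", "event_id": 1102, "data": {}},
    # 104 (logged in System): a non-Security log was cleared; Channel names which one
    {"time": "2024-10-10T09:01:11", "channel": "System", "event_id": 104, "data": {"Channel": "Application"}},
    {"time": "2024-10-10T09:01:12", "channel": "System", "event_id": 104, "data": {"Channel": "System"}},
    # 4688: process creation; constructed DLL path, not a real Interlock artefact
    {"time": "2024-10-10T09:01:30", "channel": "Security", "event_id": 4688,
     "data": {"NewProcessName": r"C:\Windows\System32\rundll32.exe",
              "CommandLine": r"rundll32.exe C:\Users\Public\example.dll,Entry"}},
    {"time": "2024-10-10T13:00:00", "channel": "Security", "event_id": 4688,
     "data": {"NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"}},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_log_clearing(events):
    """Return one alert per log-clear event: 1102 (Security) or 104 (other channels)."""
    alerts = []
    for e in events:
        if e["channel"] == "Security" and e["event_id"] == 1102:
            alerts.append({"time": e["time"], "cleared": "Security"})
        elif e["event_id"] == 104:
            alerts.append({"time": e["time"], "cleared": e["data"].get("Channel", "unknown")})
    return alerts


def find_rundll32_after_clear(events, window_minutes=10):
    """Return rundll32.exe process creations within window_minutes after any log clear.

    Clearing several logs and then launching rundll32 matches the self-deletion
    sequence the report describes, so the two are correlated rather than
    alerted on separately (rundll32 on its own is far too noisy).
    """
    clears = [_parse(a["time"]) for a in find_log_clearing(events)]
    hits = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        name = e["data"].get("NewProcessName", "").lower()
        if not name.endswith("rundll32.exe"):
            continue
        t = _parse(e["time"])
        if any(0 <= (t - c).total_seconds() <= window_minutes * 60 for c in clears):
            hits.append({"time": e["time"], "command_line": e["data"].get("CommandLine", "")})
    return hits


def cleared_channels(events):
    """Distinct log channels that were cleared; several at once is itself a strong signal."""
    return sorted({a["cleared"] for a in find_log_clearing(events)})


if __name__ == "__main__":
    for a in find_log_clearing(SAMPLE_EVENTS):
        print("log cleared:", a)
    for h in find_rundll32_after_clear(SAMPLE_EVENTS):
        print("rundll32 shortly after clear:", h)
```

In a real deployment the same rules map directly onto a SIEM query: alert on 1102/104 bursts covering multiple channels, and raise severity when a 4688 for rundll32.exe follows within minutes.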
Interlock appears to employ the increasingly common double-extortion tactic. After encrypting files and appending them with the “.interlock” extension, the attackers leave a ransom note revealing that sensitive data has been stolen. Victims are then instructed to contact the threat actors via TOR to negotiate a ransom, with the threat of public data leaks adding pressure to comply.
The emergence of Interlock underscores the importance of a proactive and multi-layered security approach. Organizations should prioritize vulnerability management, implement robust detection and response mechanisms, and regularly back up critical data to minimize the impact of ransomware attacks.
Trend Micro has provided the following SHA1 hashes to help identify Interlock activity:
- 8a38825ee33980a27ab6970e090a30a46226f752
- 5cc81e0df62e0d68710e14b31e2270f2ec7ed166
- 1cb6a93e6d2d86d3479a1ea59f7d5b258f1c5c53
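The hashes above and the “.interlock” extension mentioned earlier can be turned into a simple host-side sweep. The following is an added example, not Trend Micro’s tooling: it walks a directory tree, compares each file’s SHA1 against the published indicators, and separately lists files carrying the ransom extension. The three SHA1 values are the ones from the report; the demo tree, its file names and contents are constructed, and a stand-in file’s own hash is added to the indicator set only so the hash-matching path can be exercised offline.

```python
"""Sweep a directory for Interlock indicators: SHA1 matches and the .interlock extension.

Added example, not from the Trend Micro report. INTERLOCK_SHA1 holds the
report's published hashes; everything else here is constructed.
"""
import hashlib
import os
import tempfile

# SHA1 indicators as published by Trend Micro.
INTERLOCK_SHA1 = {
    "8a38825ee33980a27ab6970e090a30a46226f752",
    "5cc81e0df62e0d68710e14b31e2270f2ec7ed166",
    "1cb6a93e6d2d86d3479a1ea59f7d5b258f1c5c53",
}
RANSOM_EXT = ".interlock"


def sha1_of(path, chunk=1 << 20):
    """Stream a file through SHA1 so large files do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, ioc_hashes=INTERLOCK_SHA1):
    """Walk root and return relative paths of hash matches and of files with the ransom extension."""
    hash_hits, ext_hits = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower().endswith(RANSOM_EXT):
                ext_hits.append(rel)
            try:
                if sha1_of(path) in ioc_hashes:
                    hash_hits.append(rel)
            except OSError:
                # Unreadable files (permissions, locked) are skipped, not fatal.
                continue
    return {"hash_matches": sorted(hash_hits), "encrypted_files": sorted(ext_hits)}


def demo():
    """Build a constructed tree in a temp dir and scan it.

    A constructed stand-in file's hash is added to the indicator set so the
    hash path triggers; no real Interlock sample is embedded here.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "report.docx.interlock"), "wb") as f:
            f.write(b"constructed placeholder for an encrypted file")
        with open(os.path.join(root, "docs", "budget.xlsx"), "wb") as f:
            f.write(b"constructed benign content")
        stand_in = os.path.join(root, "stand_in_sample.bin")
        with open(stand_in, "wb") as f:
            f.write(b"constructed stand-in, not real malware")
        iocs = INTERLOCK_SHA1 | {sha1_of(stand_in)}
        return scan_tree(root, iocs)


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches the exact binaries that were analysed, so the extension check and the event-log detection are the parts that generalise; treat a hash hit as confirmation, not as the primary detection.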